AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint

An attacker first obtains the Meet shared secret, which is computed as `md5($global['systemRootPath'] . $global['salt'] . "meet")` (Meet.php:73) — obtainable via path-traversal CVEs that leak `videos/configuration.php` or via a timing oracle on `checkToken.json.php` [ref_id=1]. With the secret in hand, the attacker POSTs a crafted multipart request to `uploadRecordedVideo.json.php` with `Authorization: Bearer <secret>` and a file whose filename is `1-anything.mp4` (where `1` is the admin's `users_id`). The endpoint passes the shared-secret check, parses `users_id=1` from the filename, and calls `$userObject->login(true, true)` which sets `$_SESSION['user']`, issues a new `PHPSESSID` via `_session_regenerate_id()`, and returns `Set-Cookie` headers. The attacker captures that session cookie and uses it to impersonate the admin user, achieving full account takeover [ref_id=1].

The vulnerability resides in `plugin/Meet/uploadRecordedVideo.json.php` (lines 56–65) where `$users_id = explode('-', $_FILES['upl']['name'])[0];` parses the target user identifier from the attacker-controlled filename, and in `objects/user.php` (User::login() no-password branch, lines 1276–1310) which commits a session for that user without any password check. The Meet shared-secret check at line 46 (`$objM->secret != $token`) only authenticates the caller as a trusted recorder but does not verify ownership of the parsed `users_id`.

The suggested fix removes the trust in the filename by requiring a signed claim (e.g., a JWT minted at meeting-create time) that binds `users_id` to the upload request, and replaces the passwordless `User->login()` call with a parameter that credits the upload to the user without establishing a session [ref_id=1]. Additionally, the fix recommends using `hash_equals` for secret comparison to prevent timing attacks, and either removing `checkToken.json.php` or gating it behind admin authentication. These changes ensure that even if the shared secret is compromised, an attacker cannot forge a `users_id` or obtain a session cookie from the upload endpoint.